[arch-general] Sébastien Luttringer and Tobias Powalowski

NicoHood archlinux at nicohood.de
Sun Jul 2 21:55:35 UTC 2017



On 07/02/2017 11:38 PM, Eli Schwartz wrote:
> Let's make this clear: None of these claims are true! At all! Not even
> one of them!

You just say it's not true, but that is wrong. I've written a statement for
every link he pointed out in which way it is valid or not.

> You have grabbed the troll bait! Please don't do that. Also, you're wrong.

You are also a troll, as you just block with "STOP TROLLING". That is
even more annoying to me.

> Posting about these packages and attempting to shame their maintainers
> on the mailing list is unacceptable, in the way posting to the mailing
> list about the chemical composition of peanut butter is unacceptable.

Yes, we should not shame specific people, I've learned this myself. He
picked a few packages from a few maintainers. We DO have SERIOUS security
issues in PKGBUILDs that we CAN fix, but just don't, because of no obvious
reason.

> systemd is validated with GPG, it doesn't matter whether the download
> transport is checked against the cacert system. GPG already ensures that
> this package cannot sneakily use a source that isn't signed with the
> validpgpkeys.

Yes, the GPG signature of the tag commit is checked. However, you can
attack the git metadata and set a tag to a different commit. If this
commit is signed, but at an older stage which is vulnerable, we have an
issue. Just one example. So we should always also secure the transport
layer.
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/torres-arias

You are just complaining the loudest. Doesn't mean you are right, nor
better. If we just fix our PKGBUILDs, no one can troll.

How do you think we can improve the PKGBUILD security if we reject
suggestions like this? What would be your plan? Waiting for an attacker
to prove that we should have fixed our PKGBUILDs earlier?
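Added example, not code from this thread or from any Arch tool: a small Python lint over a constructed PKGBUILD fragment that flags the two points raised above, plaintext source transport and git sources pinned to a tag rather than a full commit hash. The URLs, key id and commit value in the sample are placeholders.

```python
from __future__ import annotations
import re

# Constructed sample PKGBUILD fragment (placeholder values, not a real package).
SAMPLE_PKGBUILD = """\
pkgname=example
validpgpkeys=('0000000000000000000000000000000000000000')  # placeholder key id
source=('git+https://example.org/example.git#tag=v1.2.3'
        'git+http://example.org/other.git#commit=1234567890abcdef1234567890abcdef12345678'
        'https://example.org/example-1.2.3.tar.xz'
        'https://example.org/example-1.2.3.tar.xz.sig')
"""

SRC_RE = re.compile(r"source=\((.*?)\)", re.S)
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

def parse_sources(pkgbuild: str) -> list[str]:
    """Return the entries (quotes stripped) of the first source=() array."""
    m = SRC_RE.search(pkgbuild)
    if not m:
        return []
    return [s.strip("'\"") for s in m.group(1).split()]

def lint_source(entry: str) -> list[str]:
    """Findings for one source entry: plaintext transport and unpinned git refs."""
    findings = []
    url = entry.split("::", 1)[-1]            # drop the optional "name::" prefix
    url, _, fragment = url.partition("#")     # fragment is e.g. "tag=v1" or "commit=<sha>"
    if url.startswith(("git+http://", "http://", "ftp://")):
        findings.append("plaintext transport: %s" % url)
    if url.startswith("git+"):
        ref = fragment.split("?", 1)[0]       # strip a trailing "?signed" query
        key, _, value = ref.partition("=")
        if key != "commit":
            # A signed tag only proves the tagged commit was signed at some point;
            # repointing the tag at an older signed commit still passes signature checks.
            findings.append("git source not pinned to a commit (fragment '%s')" % (ref or "none"))
        elif not SHA1_RE.match(value):
            findings.append("commit fragment is not a full 40-hex sha: %s" % value)
    return findings

def lint_pkgbuild(pkgbuild: str) -> dict[str, list[str]]:
    """Map each source entry to its findings; entries without findings are omitted."""
    return {e: f for e in parse_sources(pkgbuild) if (f := lint_source(e))}

if __name__ == "__main__":
    for entry, findings in lint_pkgbuild(SAMPLE_PKGBUILD).items():
        print(entry, "->", "; ".join(findings))
```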
